Obstruct shell, SQL, and conninfo injection via database and role names.

Due to simplistic quoting and confusion of database names with conninfo
strings, roles with the CREATEDB or CREATEROLE option could escalate to
superuser privileges when a superuser next ran certain maintenance
commands.  The new coding rule for PQconnectdbParams() calls, documented
at conninfo_array_parse(), is to pass expand_dbname=true and wrap
literal database names in a trivial connection string.  Escape
zero-length values in appendConnStrVal().  Back-patch to 9.1 (all
supported versions).

Nathan Bossart, Michael Paquier, and Noah Misch.  Reviewed by Peter
Eisentraut.  Reported by Nathan Bossart.

Security: CVE-2016-5424

1 files changed, 14 insertions, 1 deletions

diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c
index 1608bf414c4..9c0af4e8482 100644
--- a/src/bin/psql/command.c
+++ b/src/bin/psql/command.c
@@ -1785,6 +1785,7 @@ do_connect(enum trivalue reuse_previous_specification,
 	bool		keep_password;
 	bool		has_connection_string;
 	bool		reuse_previous;
+	PQExpBufferData connstr;
 
 	if (!o_conn && (!dbname || !user || !host || !port))
 	{
@@ -1846,7 +1847,15 @@ do_connect(enum trivalue reuse_previous_specification,
 	 * changes: passwords aren't (usually) database-specific.
 	 */
 	if (!dbname && reuse_previous)
-		dbname = PQdb(o_conn);
+	{
+		initPQExpBuffer(&connstr);
+		appendPQExpBuffer(&connstr, "dbname=");
+		appendConnStrVal(&connstr, PQdb(o_conn));
+		dbname = connstr.data;
+		/* has_connection_string=true would be a dead store */
+	}
+	else
+		connstr.data = NULL;
 
 	/*
 	 * If the user asked to be prompted for a password, ask for one now. If
@@ -1955,8 +1964,12 @@ do_connect(enum trivalue reuse_previous_specification,
 		}
 
 		PQfinish(n_conn);
+		if (connstr.data)
+			termPQExpBuffer(&connstr);
 		return false;
 	}
+	if (connstr.data)
+		termPQExpBuffer(&connstr);
 
 	/*
 	 * Replace the old connection with the new one, and update